fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Can't enforce disk encryption #15817

Closed zayhanlon closed 9 months ago

zayhanlon commented 9 months ago

Fleet version: 4.41 (managed cloud)

Web browser and operating system: Chrome on macOS


💥  Actual behavior

400 Bad Request error with details that 'MDM is not turned on' for a customer with MDM turned on, attempting to turn on Disk Encryption for Windows

(screenshot attached: image (16).png)

🧑‍💻  Steps to reproduce

  1. When starting the server only set the following MDM configs: FLEET_MDM_WINDOWS_WSTEP_IDENTITY_CERT and FLEET_MDM_WINDOWS_WSTEP_IDENTITY_KEY (no Apple configs)
  2. Create a team
  3. Check box to turn on disk encryption for that team
  4. Click save

🕯️ More info (optional)

Note: this customer does not have macOS MDM turned on - could that be a factor?

pacamaster commented 9 months ago

double-checked is enabled in the tagged client cloud (screenshots attached)

mikermcneil commented 9 months ago

fyi broken image @zayhanlon

zayhanlon commented 9 months ago

@mikermcneil I think it's because I submitted in ZenHub; it does appear for me though - did you fix something?

pacamaster commented 9 months ago

redacted client log for fleetd - flacourtia-log-encryption-orbit-osquery.log

JoStableford commented 9 months ago

Related to a Slack conversation

sabrinabuckets commented 9 months ago

@roperzh on latest main, with only Windows MDM turned on, and an MSI built with either the standard build command or TUF server, I receive the following error:

disk_encryption: {
  status: "failed",
  detail: "there was an error preparing the volume for encryption - error: prepareVolume(C:): error code returned during encryption: -2144845809"
}

roperzh commented 9 months ago

@sabrinabuckets thanks! That error seems to be that the machine doesn't have TPM enabled, which is a requirement for disk encryption on Windows (fortunately a separate error).

For our future selves: we both discussed opening a separate ticket, but I think this is the expected behavior as long as it shows as "failed" in the "controls" page
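The signed decimal in that log line is a Windows HRESULT printed as an int32. As an added example (not code from this thread or from the Fleet project), the Go program below reinterprets it as an unsigned HRESULT, splits out the severity, facility and code bits, and maps it to its symbolic name. The three TBS constants in the table are from the Windows SDK (facility 40 is FACILITY_TPM_SERVICES); -2144845809 decodes to 0x8028400F, TBS_E_TPM_NOT_FOUND, which agrees with the diagnosis above that no usable TPM was present on the host.

```go
package main

import "fmt"

// Added example: decode the signed error code that fleetd reports
// ("error code returned during encryption: -2144845809") into a Windows
// HRESULT and map it to the TBS (TPM Base Services) error it names.
// HRESULT layout: bit 31 = failure, bits 16..26 = facility, bits 0..15 = code.

// FacilityTPMServices is FACILITY_TPM_SERVICES (40), the facility TBS errors use.
const FacilityTPMServices uint32 = 40

// HResult holds the fields of a decoded HRESULT.
type HResult struct {
	Value    uint32 // unsigned form, e.g. 0x8028400F
	Failed   bool   // severity bit set
	Facility uint32 // 11-bit facility field
	Code     uint32 // 16-bit code field
}

// DecodeHRESULT reinterprets the signed 32-bit value as an unsigned HRESULT
// and splits out its fields.
func DecodeHRESULT(signed int32) HResult {
	v := uint32(signed)
	return HResult{
		Value:    v,
		Failed:   v&0x80000000 != 0,
		Facility: (v >> 16) & 0x7FF,
		Code:     v & 0xFFFF,
	}
}

// A few TBS error values from the Windows SDK (winerror.h).
var tbsErrors = map[uint32]string{
	0x80284001: "TBS_E_INTERNAL_ERROR",
	0x80284008: "TBS_E_SERVICE_NOT_RUNNING",
	0x8028400F: "TBS_E_TPM_NOT_FOUND",
}

// Describe returns the symbolic name for a known TBS error, or a generic
// description carrying the facility and code so an unknown value can still
// be looked up by hand.
func Describe(signed int32) string {
	hr := DecodeHRESULT(signed)
	if name, ok := tbsErrors[hr.Value]; ok {
		return name
	}
	if hr.Facility == FacilityTPMServices {
		return fmt.Sprintf("unknown TBS error 0x%08X", hr.Value)
	}
	return fmt.Sprintf("HRESULT 0x%08X (facility %d, code 0x%04X)", hr.Value, hr.Facility, hr.Code)
}

func main() {
	// The value quoted from the fleetd error in this thread.
	const fromLog int32 = -2144845809
	hr := DecodeHRESULT(fromLog)
	fmt.Printf("%d -> 0x%08X failed=%v facility=%d code=0x%04X: %s\n",
		fromLog, hr.Value, hr.Failed, hr.Facility, hr.Code, Describe(fromLog))
}
```

Any other negative integer that fleetd surfaces from a Windows API can be pushed through the same decoder; the facility field tells you which subsystem (TPM services, BitLocker/FVE, Win32) to look the code up under even when the name is not in the small table here.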

sabrinabuckets commented 9 months ago

Successfully able to configure and verify Disk encryption on Windows hosts with only Windows MDM configured and with both macOS & Windows MDM configured.

fleet-release commented 9 months ago

Encryption's key, In cloud city, disks secure, Fleet's trust in code weaves.